Configuring Logging For An Access Control Entry - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Logging Access List Activity
If the security appliance is attacked, the number of system messages for denied packets can be very large.
We recommend that you instead enable logging using system message 106100, which provides statistics
for each ACE and lets you limit the number of system messages produced. Alternatively, you can disable
all logging.
Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list
Note
does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE
manually to the end of the access list, as follows.
hostname(config)# access-list TEST deny ip any any log
The log options at the end of the extended access-list command lets you to set the following behavior:
•
•
•
System message 106100 is in the following form:
%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol
interface_name / source_address ( source_port ) -> interface_name / dest_address ( dest_port )
hit-cnt number ({first hit | number -second interval})
When you enable logging for message 106100, if a packet matches an ACE, the security appliance
creates a flow entry to track the number of packets received within a specific interval. The security
appliance generates a system message at the first hit and at the end of each interval, identifying the total
number of hits during the interval. At the end of each interval, the security appliance resets the hit count
to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry.
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source
port might differ for a new connection between the same two hosts, you might not see the same flow
increment because a new flow was created for the connection. See the
on page 16-21
Permitted packets that belong to established connections do not need to be checked against access lists;
only the initial packet is logged and included in the hit count. For connectionless protocols, such as
ICMP, all packets are logged even if they are permitted, and all denied packets are logged.
See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed
information about this system message.
Configuring Logging for an Access Control Entry
To configure logging for an ACE, see the following information about the log option:
hostname(config)# access-list access_list_name [extended] {deny | permit}... [log [[ level ]
[interval secs ] | disable | default]]
See the
section on page 16-11
If you enter the log option without any arguments, you enable system log message 106100 at the default
level (6) and for the default interval (300 seconds). See the following options:
•
Cisco Security Appliance Command Line Configuration Guide
16-20
Enable message 106100 instead of message 106023
Disable all logging
Return to the default logging using message 106023
to limit the number of logging flows.
"Adding an Extended Access List" section on page 16-5
for complete access-list command syntax.
level—A severity level between 0 and 7. The default is 6.
Chapter 16
Identifying Traffic with Access Lists
"Managing Deny Flows" section
and
"Adding a Webtype Access List"
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
